SBOM Masterclass

By Anant Shrivastava & Kumar Ashwin


SBoMs are among the most discussed artifacts in the current secure development paradigm. However, the focus is almost entirely on creating the SBoM: owing to compliance requirements, it is treated as just another checkbox at this point. Yet SBoMs, for the first time in a long while, are trying to solve the right problem, i.e. inventory.
While we believe that an SBoM on its own is not the final solution for supply chain security issues, we also strongly believe it is a solid step in the right direction. Hence, we have come up with this SBoM Masterclass, where we focus not just on creation but also on consumption and usage of SBoMs. As an inventory, an SBoM has a myriad of uses that go beyond the limited scope of detecting the vulnerability status of third-party libraries. This course covers these different uses and identifies scenarios where an SBoM would be useful.


  • Software Developers and Engineers
  • IT Managers
  • Security Analysts
  • DevOps Practitioners
  • CTOs and Decision Makers in IT


Beginner / Intermediate

Attendees need to have a basic understanding of the software development life cycle. We will cover SBoM from start to finish, but awareness of general development practices and of git and GitHub usage is expected. The course assumes basic familiarity with the command line and Linux.


  • A very detailed step-by-step instruction manual for all challenges covered during the class.
  • A slide deck containing the slides covered during the class.
  • A set of cloud virtual machines with all required tools pre-configured.


Our labs are cloud-based, and a browser should be sufficient. However, we still suggest the following hardware specs:

  • Laptop with a working browser & unrestricted internet access (at least ports 80 and 443; some WebSocket connections might also be required).
  • We would still recommend bringing a laptop with full administrative access in case any troubleshooting is required.

Attendees will need to come with a GitHub account. A fresh organization will be created for all the operations. Any other associated tooling will be provided over a cloud VM for this activity.


Supply chain security is an ever-present threat looming over organizations. Software Bills of Materials (SBOMs) are a critical piece of the puzzle, yet the process of creating, managing, and utilizing SBOMs is shrouded in mystery for many. This training demystifies the subject, offering hands-on expertise to practitioners caught up in this challenge. This masterclass adopts a practical and focused approach, starting with an understanding of what SBOMs are, followed by the processes of creating, storing, and validating them. We then delve into how maintaining such an inventory can help organizations prioritize their security efforts from a supply chain perspective.


Day 1

SBoM Basics

  • Understanding Supply Chain Security
  • Where does SBoM Fit into the Picture
  • Basics of SBoM: Introduction to SBOM concepts, purposes, and benefits.
  • Types of SBoM: Overview of different SBOM formats. (SPDX, SWID, CycloneDX)

Creation and Validation of SBoM

  • How to Create SBoM
  • How to Establish Provenance
  • Where to Store Provenance
  • How to Validate Provenance
  • How to Create SBoM Automatically
  • Full Cascading SBoM (all-encompassing SBoMs for multi-level dependency trees)

How to Use SBoM

  • SBoM for Dependency Upgrades for Projects: Managing and upgrading project dependencies.
  • SBoM for Vulnerability Identification: Leveraging SBOM for vulnerability detection.
  • Identifying Your Most Used Third-Party Dependencies across projects.
  • Understanding dependency usage patterns.
  • Dependency Map Across Projects: Visualizing dependencies and their relationships.
  • Auditing Projects Using SBOM: Conducting project audits using SBOM data.
  • License Validation via SBOMs: Ensuring licensing compliance.

Day 2

Enhancing SBoM

  • Isolate False Positives: Differentiating real threats and false positives.
  • VDR and VEX Reports: Utilizing VDR and VEX in the SBOM context.
  • Advanced Dependency Tracking: Deeper analysis of indirect dependencies.
  • Automated Compliance Checks: Ensuring SBOM compliance with automation.
  • SBOM Data Visualization: Visual tools for complex dependency analysis.
  • Integrating SBOM with Incident Response Plans: Leveraging SBOM in cybersecurity incidents.

Beyond SBoM

  • Cryptographic Bill of Material
  • SaaS Bill of Material
  • More xBoMs and how to generate them

Trainer Bio

Anant Shrivastava

Anant Shrivastava is a highly experienced information security professional with over 15 years of corporate experience. He is a frequent speaker and trainer at international conferences, and is the founder of Cyfinoid Research, a cyber security research firm. He leads open source projects such as Tamer Platform and CodeVigilant, and is actively involved in information security communities such as null, OWASP and various BSides and DEFCON groups.

Kumar Ashwin

Kumar Ashwin is a seasoned security professional with expertise in web, cloud, and software supply chain security. He's active in security communities like The Open Security Community and DEFCON Cloud Village, contributing through talks and developing Capture The Flag challenges. Ashwin's experience spans from offensive security to security engineering, providing unique insights at conferences like x33fcon and BSides. He plays a key role in enhancing organizational security postures. Discover more at his blog:


©2024 BSides GOA All rights reserved